Apache/Print version
The current, editable version of this book is available in Wikibooks, the open-content textbooks collection, at
https://en.wikibooks.org/wiki/Apache
Introduction
Apache is primarily used to serve both static content and dynamic Web pages on the World Wide Web. Many web applications are designed expecting the environment and features that Apache provides.
Apache is redistributed as part of various proprietary software packages including the Oracle Database and the IBM WebSphere application server. Mac OS X integrates Apache as its built-in web server and as support for its WebObjects application server. It is also supported in some way by Borland in the Kylix and Delphi development tools. Apache is included with Novell NetWare 6.5, where it is the default web server. Apache is included with many Linux distributions.
Apache is used for many other tasks where content needs to be made available in a secure and reliable way. One example is sharing files from a personal computer over the Internet. A user who has Apache installed on their desktop can put arbitrary files in Apache's document root which can then be shared.
Programmers developing web applications often use a locally installed version of Apache in order to preview and test code as it is being developed.
Microsoft Internet Information Services (IIS) is the main competitor to Apache, followed by Sun Microsystems' Sun Java System Web Server and a host of other applications such as Zeus Web Server or Nginx.
Introduction/History
History and name
The first version of the Apache web server software was created by Robert McCool, who was heavily involved with the National Center for Supercomputing Applications web server, known simply as NCSA HTTPd. When McCool left NCSA in mid-1994, the development of httpd stalled, leaving a variety of patches for improvements circulating through e-mails. These patches were provided by a number of other developers besides McCool, and they thus helped to form the original "Apache Group".
There have been two explanations of the project's name. According to the Apache Foundation, the name was chosen out of respect for the Native American tribe of Apache (Indé), well-known for their endurance and their skills in warfare. However, the original FAQ on the Apache Server project's website, from 1996 to 2001, claimed that "The result after combining [the NCSA httpd patches] was a patchy server." The first explanation was supported at an Apache Conference and in an interview in 2000 by Brian Behlendorf, who said that the name connoted "Take no prisoners. Be kind of aggressive and kick some ass". Behlendorf then contradicted this in a 2007 interview, stating that "The Apache server isn't named in honor of Geronimo's tribe" but that so many revisions were sent in that "the group called it 'a patchy Web server'". Both explanations are probably appropriate.
Version 2 of the Apache server was a substantial re-write of much of the Apache 1.x code, with a strong focus on further modularization and the development of a portability layer, the Apache Portable Runtime. The Apache 2.x core has several major enhancements over Apache 1.x. These include UNIX threading, better support for non-Unix platforms (such as Microsoft Windows), a new Apache API, and IPv6 support. The first alpha release of Apache 2 was in March 2000, with the first general availability release on April 6, 2002.
Version 2.2 introduced a more flexible authorization API. It also features improved cache modules and proxy modules.
Introduction/License
License
The software license under which software from the Apache Foundation is distributed is a distinctive part of the Apache HTTP Server's history and presence in the open source software community. The Apache License allows for the distribution of both open and closed source derivatives of the source code.
The Free Software Foundation does not consider the Apache License to be compatible with version 2 of the GPL in that software licensed under the Apache License cannot be integrated with software that is distributed under the GPL:
This is a free software license but it is incompatible with the GPL. The Apache Software License is incompatible with the GPL because it has a specific requirement that is not in the GPL: it has certain patent termination cases that the GPL does not require. We don't think those patent termination cases are inherently a bad idea, but nonetheless they are incompatible with the GNU GPL.[1]
However, version 3 of the GPL includes a provision (Section 7e) which allows it to be compatible with licenses that have patent retaliation clauses, including the Apache License.
The name Apache is a registered trademark and may only be used with the trademark holder's express permission.
Architecture
Features
Apache supports a variety of features, many implemented as compiled modules which extend the core functionality. These can range from server-side programming language support to authentication schemes. Some common language interfaces support Perl, Python, Tcl, and PHP. Popular authentication modules include mod_access, mod_auth, mod_digest, and mod_auth_digest, the successor to mod_digest. Other features include SSL and TLS support (mod_ssl), a proxy module (mod_proxy), a URL rewriter (implemented under mod_rewrite), custom log files (mod_log_config), and filtering support (mod_include and mod_ext_filter).
Popular compression methods on Apache include the external extension module, mod_gzip, implemented to help with reduction of the size of web pages served over HTTP. ModSecurity is an open source intrusion detection and prevention engine for web applications. Apache logs can be analyzed through a web browser using free scripts such as AWStats/W3Perl or Visitors.
Virtual hosting allows one Apache installation to serve many different actual websites. For example, one machine with one Apache installation could simultaneously serve www.example.com, www.test.com, test47.test-server.test.com, etc.
Apache features configurable error messages, DBMS-based authentication databases, and content negotiation. It is also supported by several graphical user interfaces.
Installation
Windows
The program can be installed alone from http://www.apache.org/dyn/closer.cgi.
However, it is generally best to get it with an all-in-one solution like WAMP or EasyPHP, because these install PHP and MySQL at the same time.
Apart from that, a portable all-in-one is XAMPP.
Remark (on a PC):
By default Apache is set to automatically launch at startup which is convenient on a server. However on a PC, it may be better to create a script to start and stop it manually. Example with EasyPHP:
net start ews-dbserver
net start ews-httpserver
net start ews-dashboard
pause
net stop ews-dashboard
net stop ews-httpserver
net stop ews-dbserver
Unix-like
Debian
 apt-get install apache2
Gentoo
 emerge apache
Configuration
The service must be restarted manually after most configuration changes:
vim /etc/httpd/conf/httpd.conf
#or
vim /etc/apache2/apache2.conf
/etc/init.d/apache2 restart
Configuration
Configuring Apache WebServer
GUI Tools:
There are some GUI tools to configure the Apache web server, but they mostly cover the basic or intermediate levels of configuration. For advanced configuration, modifying the configuration file is the way to go. Some GUI tools are: Comanche, TkApache, LinuxConf, WebMin, ApacheConf, user_manage. Among them, Webmin is browser based and may be a better choice than the others.
Basic Apache configuration information is given below.
Apache has three configuration files:
httpd.conf
access.conf
srm.conf
httpd.conf is the main file; you can forget about the others.
A basic configuration file may look like the following:
# Comments go on their own line: Apache does not accept them after a directive
# Host name of the website being served
ServerName www.justetc.net
# Listen on the network interface 192.168.0.1, port 80
Listen 192.168.0.1:80
# Listen on the network interface 192.168.0.1, port 400
Listen 192.168.0.1:400
# User and group the server runs as when answering requests (default)
User nobody
Group nobody
# E-mail address of the administrator
ServerAdmin admin@justetc.net
# Apache's main working folder; Apache keeps essential files here
ServerRoot /usr/locale/apache
# Error log, to keep track of errors
ErrorLog logs/error_log
# Access log; logging every access may make the website slower
TransferLog logs/access_log
DocumentRoot /home/www/justetc
You can create your own user and group for the server to run as when serving web pages:
groupadd httpd
useradd -u 999 -g httpd -s /bin/false -c 'Web Server' httpd
then use
User httpd
Group httpd
Configuration/Performance
Performance
Although the main design goal of Apache is not to be the "fastest" web server, Apache does have performance comparable to other "high-performance" web servers. Instead of implementing a single architecture, Apache provides a variety of Multi-Processing Modules (MPMs) which allow Apache to run in a process-based, hybrid (process and thread) or event-hybrid mode, to better match the demands of each particular infrastructure. This implies that the choice of correct MPM and the correct configuration is important. Where compromises in performance need to be made, the design of Apache is to reduce latency and increase throughput, relative to simply handling more requests, thus ensuring consistent and reliable processing of requests within reasonable time-frames.
Virtual hosting
Principle
Virtual hosting in Apache allows a single instance of the Apache software to host more than one distinct web site. Since only one instance of Apache can use port 80 on a server at once, without virtual hosting each new web site you hosted would need a new server.
Sites hosted under virtual hosting appear to end users as normal sites in every way; the only difference is that fewer server machines are needed to host them. Virtual hosting is commonly used by high-volume low-price web hosting companies, who give each of their customers a virtual host, with potentially hundreds of customers sharing the same server.
Configuration
To add a virtual host, edit apache2.conf (or httpd.conf). Example:[1]
<VirtualHost MyIP:80>
    ServerAdmin admin@site1.com
    DocumentRoot /home/site1/public_html
    ServerName site1.com
    ServerAlias www.site1.com
</VirtualHost>
<VirtualHost MyIP:80>
    ServerAdmin admin@site2.com
    DocumentRoot /home/site2/public_html
    ServerName site2.com
    ServerAlias www.site2.com
    # Apache has no AccessLog directive; the access log is set with CustomLog and a log format
    CustomLog /home/site2/access.log combined
    ErrorLog /home/site2/error.log
    <Directory /home/site2/public_html>
        AllowOverride All
    </Directory>
</VirtualHost>
SSL
Install and Configure Apache2 with PHP5 and SSL Support
Required Packages
apache2 openssl ssl-cert libapache2-mod-php5 php5-cli php5-common php5-cgi
Configuration Steps
Step 1: generate certificate
Use the following command to generate a certificate:
sudo openssl req -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:West Bengal
Locality Name (eg, city) []:Kolkata
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MAT3 Impex Pvt. Ltd.
Organizational Unit Name (eg, section) []:Crypto-Devel
Common Name (eg, YOUR name) []:Promathesh Mandal
Email Address []:promatesh@mat3impex.com
This completes the certificate. Because the command above writes the private key into the same .pem file as the certificate, make sure the file has the correct permissions; if not, use the following command to set them:
sudo chmod 600 /etc/apache2/apache.pem
Note: to generate a certificate signing request, use the following command:
sudo openssl req -new -key apache.pem -out chikpea.csr
Step 2: listen on the port
By default the server listens for incoming HTTP requests on port 80, and not for SSL connections on port 443. To enable SSL support, add the following entry to the file /etc/apache2/ports.conf, then save and exit the file.
Listen 443
Step 3: enable SSL support
To enable SSL support for your Apache web server, use the following command:
sudo a2enmod ssl
Module ssl installed; run /etc/init.d/apache2 force-reload to enable.
Now you need to restart the apache2 server using the following command:
sudo /etc/init.d/apache2 restart
Step 4: configuring SSL Certificate to Virtual Hosts in Apache2
First, edit the /etc/apache2/sites-available/default file and change
NameVirtualHost *
to
NameVirtualHost *:80
NameVirtualHost *:443
Now you need to configure the virtual hosts using port 80.
Example
<VirtualHost *:80>
ServerAdmin webmaster@localhost
.
.
.
</VirtualHost>
Then configure the virtual hosts using port 443. The main difference is that you need the following two lines for each SSL host:
SSLEngine on
SSLCertificateFile /etc/apache2/apache.pem
Example
<VirtualHost *:443>
ServerAdmin webmaster@localhost
.
.
.
SSLEngine on
SSLCertificateFile /etc/apache2/apache.pem
</VirtualHost>
Now you need to restart your Apache web server using the following command:
sudo /etc/init.d/apache2 reload
Sample files: sample for the “ports.conf” file
Listen 80
Listen 443
Sample for the “default” file
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
#RedirectMatch ^/$ /apache2-default/
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
SSLEngine on
SSLCertificateFile /etc/apache2/apache.pem
DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
#RedirectMatch ^/$ /apache2-default/
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
.htaccess
Principle
In order to protect one directory in particular (and its subdirectories), it suffices to place a file called .htaccess inside it. Apache applies its rules immediately, and only within that directory tree. The syntax is the same as for the general vhost rules (e.g. URL rewriting or protection), except that the rules only affect the directory containing the .htaccess (so no Directory clause is needed).
Attention: Windows Explorer doesn't allow naming a file with a leading dot, but a text editor is able to save a file as .htaccess.
Installation
To authorize the .htaccess files in the site .conf, use AllowOverride[1]:
AllowOverride All
To forbid them:
AllowOverride None
Security
Numerous robots try to crack databases (for instance via PhpMyAdmin or WordPress). To be protected from them, we can play on several criteria.
For example, to forbid listing the files of a directory which hasn't got any index (e.g. .html, .php), add the code: Options -Indexes.
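To find where directory listing is still switched on, the check below reads a configuration and reports each Directory block that enables Indexes, and each block whose AllowOverride lets a .htaccess file set Options again. It is an added example, not part of the original book: audit_listing and the sample text (modelled on this book's own sample files) are assumptions, and it only looks at what each block sets itself, not at options inherited from parent directories.

```python
import re

# Constructed sample, modelled on the <Directory> blocks shown in this book.
SAMPLE_CONF = """\
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
</Directory>
<Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
</Directory>
<Directory /home/site2/public_html>
    Options -Indexes
    AllowOverride All
</Directory>
"""

OPEN = re.compile(r'<Directory\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r"</Directory\s*>", re.I)


def audit_listing(conf_text):
    """Return a sorted list of (directory, finding) pairs."""
    findings = set()
    stack = []  # enclosing <Directory> paths, innermost last
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            stack.append(opened.group(1).strip())
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        if not stack:
            continue  # directive outside any <Directory> block
        name, *args = line.split()
        args = [a.lower() for a in args]
        if name.lower() == "options":
            # "Indexes", "+Indexes" and "All" switch listing on;
            # "-Indexes" switches it off.
            if any(a in ("indexes", "+indexes", "all") for a in args):
                findings.add((stack[-1], "directory listing enabled"))
        elif name.lower() == "allowoverride":
            # "All" or "Options[=...]" lets a .htaccess change Options.
            if any(a == "all" or a.split("=")[0] == "options" for a in args):
                findings.add((stack[-1], ".htaccess may change Options"))
    return sorted(findings)


if __name__ == "__main__":
    for directory, finding in audit_listing(SAMPLE_CONF):
        print(f"{directory}: {finding}")
```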
Protection by provenance
Authorize only two IP addresses to read the directory:
<Directory /usr/share/phpmyadmin/>
<IfModule mod_authz_core.c>
<RequireAny>
Require all denied
Require ip 127.0.0.1
Require ip 127.0.0.2
</RequireAny>
</IfModule>
</Directory>
Whitelist with allow (obsolete in Apache 2.4)
<Directory /usr/share/phpmyadmin/>
<IfModule mod_access_compat.c>
deny from all
allow from 127.0.0.1
allow from 127.0.0.2
</IfModule>
</Directory>
If the authorized ranges have some addresses in common with the prohibited ranges, it's better to specify their precedence (the order of the lines in the .htaccess file doesn't change anything):
Order allow,deny
- begins with the authorizations and then applies the prohibitions, at the risk of banning what was previously allowed.
Order deny,allow
- the contrary is less restrictive.
<Directory /usr/share/phpmyadmin/>
<IfModule mod_authz_core.c>
# A negated Require is only valid inside <RequireAll>
<RequireAll>
Require all granted
Require not ip 127.0.0.1
</RequireAll>
</IfModule>
</Directory>
Blacklist with deny (obsolete in Apache 2.4)
<Directory /usr/share/phpmyadmin/>
<IfModule mod_access_compat.c>
order allow,deny
allow from all
deny from 127.0.0.1
</IfModule>
</Directory>
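How mod_access_compat resolves the two orders, including the overlapping-range case mentioned above, can be checked with a small model. This is an added example, not part of the original book: access_allowed, compare_orders and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress


def _matches(client, specs):
    """True if client matches any 'allow from' / 'deny from' argument."""
    addr = ipaddress.ip_address(client)
    for spec in specs:
        if spec.lower() == "all":
            return True
        # A bare address is treated as a single-host network.
        if addr in ipaddress.ip_network(spec, strict=False):
            return True
    return False


def access_allowed(order, allow, deny, client):
    """Model of the Order/Allow/Deny decision for one client address."""
    allowed = _matches(client, allow)
    denied = _matches(client, deny)
    order = order.lower()
    if order == "allow,deny":
        # Allow is evaluated first, Deny second: a deny match wins,
        # and a client matching neither list is refused.
        return allowed and not denied
    if order == "deny,allow":
        # Deny is evaluated first, Allow second: an allow match wins,
        # and a client matching neither list is let in.
        return allowed or not denied
    raise ValueError("Order takes 'allow,deny' or 'deny,allow' (no space)")


def compare_orders(allow, deny, clients):
    """Return {client: (result under allow,deny, result under deny,allow)}."""
    return {
        c: (access_allowed("allow,deny", allow, deny, c),
            access_allowed("deny,allow", allow, deny, c))
        for c in clients
    }


# The book's whitelist: no Order line, so the default deny,allow applies.
WHITELIST = dict(order="deny,allow", allow=["127.0.0.1", "127.0.0.2"], deny=["all"])
# The book's blacklist.
BLACKLIST = dict(order="allow,deny", allow=["all"], deny=["127.0.0.1"])

if __name__ == "__main__":
    # Constructed overlapping ranges (documentation addresses).
    table = compare_orders(allow=["192.0.2.0/24"], deny=["192.0.2.128/25"],
                           clients=["192.0.2.10", "192.0.2.200", "198.51.100.7"])
    for client, (allow_deny, deny_allow) in table.items():
        print(f"{client:15} allow,deny={allow_deny!s:5} deny,allow={deny_allow}")
```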
Protection by password
Authentication configuration
The Apache settings must allow the authentication parameters to be modified.
The directive AllowOverride of a parent directory must contain the option AuthConfig[3].
The directives to place in the .htaccess are:
AuthType basic
- the commonly adopted authentication type, but poorly secured.
AuthName "My message"
- the text shown as a prompt in the dialog box.
AuthUserFile /etc/apache2/my_passwd
- the path of the passwords file.
Require valid-user
- specifies that a valid account is needed to access the folder.
We can also use Require user toto sasa to authorize only the two accounts toto and sasa.
The basic authentication type uses unencrypted passwords.
Some other, more secure types exist, like digest, which it is recommended to combine with HTTPS.
The first request addressed to the protected directory causes the dialog box to be displayed, in which the user must identify themselves (with login and password):
- If the password is invalid, the dialog will be displayed again.
- If it's valid, the browser can record it and not ask for it again until it is next relaunched.
Passwords file
The following command creates a passwords file with one user toto:
htpasswd -c /home/user/www/.htpasswd toto
To add or modify a user:
htpasswd /home/user/www/.htpasswd sasa
Then, tell the .htaccess the path of the .htpasswd with:
AuthName "Protected page"
AuthType Basic
AuthUserFile "/home/user/www/.htpasswd"
Require valid-user
References
- ↑ https://httpd.apache.org/docs/2.4/en/howto/access.html
- ↑ https://httpd.apache.org/docs/2.4/en/upgrading.html
- ↑ http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride
CGI
CGI scripts
CGI (Common Gateway Interface) is a standard that lets Apache execute programs, which can be written in any programming language (Bash, C, Java, Perl, PHP, Python...), as long as the program is executable and respects certain input/output constraints.
Configure the CGI scripts access
To make Apache interpret the scripts, a minimum of settings is needed in the site configuration.
ScriptAlias
The directive (from httpd.conf):
ScriptAlias /cgi-bin/ /scripts path/
specifies the folder in which Apache is authorized to execute CGI scripts.[1]
Unix example:
ScriptAlias /cgi-bin/ /var/www/cgi-bin/
Windows example, using the URL format (no backslash):
ScriptAlias /cgi-bin/ "C:/wamp/bin/apache/apache2.2.27/cgi-bin/"
Actually the path /cgi-bin/ doesn't really exist; it is redirected to the scripts path set by the directive, which allows writing URLs like http://server/cgi-bin/my_script.
ExecCGI
The following clause activates the option ExecCGI in /var/www/cgi-bin, which authorizes Apache to execute scripts on the server:
<Directory /var/www/cgi-bin>
Options ExecCGI
</Directory>
For example, if a script called essai.cgi is in /home/httpd/cgi-bin:
<Directory /home/httpd/cgi-bin>
Options ExecCGI
</Directory>
Then, call the URL: http://serveur/cgi-bin/essai.cgi
AddHandler
This clause selects the file extensions that will be authorized, e.g.:
AddHandler cgi-script .cgi .exe .pl .py .vbs
Recapitulation
Full example on Windows, in the Apache configuration:
ScriptAlias /cgi-bin/ "E:/www/cgi-bin/"
<Directory "E:/www/cgi-bin/">
Options FollowSymLinks Indexes
AllowOverride All
Order deny,allow
Allow from all
Require all granted
</Directory>
In E:/www/cgi-bin/.htaccess:
AddHandler cgi-script .cgi .exe .pl .py .vbs
Write a CGI program
The main constraint concerns the program's output. If a CGI script writes data to its standard output, it must first output an HTTP header that identifies the data.
Bash
#!/bin/bash
# Header
echo "Content-type: text/html"
# Header end
echo ""
# Content to display in the navigator
echo "<html><body>Hello World!</body></html>"
This script generates an HTML page.
Perl
#!c:/perl/perl/bin/perl.exe -w
use CGI;
my $query = new CGI;
my $Name = $query->param('Name');
print $query->header();
print "Hello World!"
Python
#!C:\Program Files (x86)\Python\python.exe
# -*- coding: UTF-8 -*-
print "Content-Type: text/plain;charset=utf-8"
print
print "Hello World!"
VBS
For Windows.[2]
'!c:/windows/system32/cscript //nologo
Wscript.Echo "Content-type: text/html" & vbLF & vbLF
WScript.Echo "Hello World!"
Wscript.Quit 0
Known errors
- Error 500 Server error!: replace a Deny from all by an Allow from all.
or
# setsebool -P httpd_enable_cgi 1
# chcon -R -t httpd_sys_script_exec_t cgi-bin/your_script.cgi
- Error 403 Forbidden access: impossible to list this folder, so call its files directly.
- If the file's source code appears in the browser: the .htaccess is not properly set.
- couldn't create child process: replace the path after the shebang. For example, replace #!/usr/bin/perl by #!c:/perl/perl/bin/perl.exe -w, and #!/usr/bin/env python by #!C:\Program Files (x86)\Python\python.exe.
- End of script output before headers: missing header (e.g. move the import before print "Content-Type: text/plain;charset=utf-8"). But it can also be the symptom of a compilation error in the script language.
- malformed header from script: Bad header: : the header is not suitable (e.g. replace #print "Content-Type: text/plain;charset=utf-8" by print "Content-type: text/html\n\n" if there is a print "<html>" after).
Otherwise consult the Apache logs...
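The two header errors above can be caught before deployment by running the script and checking its standard output. This is an added example, not code from the original book: check_cgi_output and run_cgi are hypothetical names, the sample outputs are constructed, and the rules are a simplified model of the CGI header requirements rather than Apache's own parser.

```python
import os
import re
import subprocess

# Characters allowed in a header field name (an HTTP "token").
_FIELD_NAME = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def check_cgi_output(raw):
    """Classify a CGI script's raw stdout (bytes); returns a verdict string."""
    names = set()
    rest = raw
    while True:
        line, newline, rest = rest.partition(b"\n")
        if not newline:
            # Output ended before the blank line that closes the header
            # block: nothing printed at all, or a crash/compile error.
            return "End of script output before headers"
        line = line.rstrip(b"\r")
        if line == b"":
            break  # blank line: end of headers, the body follows
        name, colon, _value = line.partition(b":")
        if not colon or not _FIELD_NAME.fullmatch(name):
            # Body text (or a debug print) came out before the header.
            shown = line[:40].decode("latin-1")
            return "malformed header from script: Bad header: " + shown
        names.add(name.lower())
    if not names & {b"content-type", b"location", b"status"}:
        return "no Content-Type, Location or Status header"
    return "ok"


def run_cgi(argv, timeout=10):
    """Run a script with a minimal CGI environment for a GET, then check it."""
    env = dict(os.environ, GATEWAY_INTERFACE="CGI/1.1",
               REQUEST_METHOD="GET", QUERY_STRING="")
    proc = subprocess.run(argv, env=env, stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, timeout=timeout)
    return check_cgi_output(proc.stdout)


# Constructed outputs, modelled on the scripts in this chapter.
GOOD = b"Content-type: text/html\n\n<html><body>Hello World!</body></html>\n"
BODY_FIRST = b"<html>\nContent-type: text/html\n\n<body>Hello World!</body></html>\n"
NO_BLANK_LINE = b"Content-Type: text/plain;charset=utf-8\n"

if __name__ == "__main__":
    for sample in (GOOD, BODY_FIRST, NO_BLANK_LINE, b""):
        print(check_cgi_output(sample))
```

On a server, pass the script's own command line to run_cgi, for example run_cgi(["/var/www/cgi-bin/your_script.cgi"]).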
References
- ↑ http://httpd.apache.org/docs/current/en/howto/cgi.html
- ↑ http://wiki.uniformserver.com/index.php/CGI:_VBScript_CGI